The Hacker News — Cyber Security, Hacking, Technology News

A security researcher has found four vulnerabilities, including a critical remote code execution bug, in OpenVPN that were not caught even by the two major security audits of the open source VPN software this year.

OpenVPN is one of the most popular and widely used open source VPN software solutions mostly used for various connectivity needs, but it is especially popular for anonymous and private access to the Internet.

This year, two independent security audits of OpenVPN were carried out to look for flaws, backdoors, and other defects in the open source software – one conducted by a team led by Johns Hopkins University crypto-boffin Dr. Matthew D. Green.

The audits resulted in a patch of a few vulnerabilities in the widely used open source software, giving OpenVPN a clean chit.

Researcher Used Fuzzer to find Bugs in OpenVPN

Researcher Guido Vranken of the Netherlands, using a fuzzer exclusively, recently discovered four security holes in OpenVPN that escaped both security audits.

Three of the four flaws the researcher discovered are server-side, two of which cause servers to crash, while the remaining one is a client-side bug that could allow an attacker to steal a password and gain access to the proxy.

The most critical vulnerability of all is CVE-2017-7521, which affects the OpenVPN server side and resides in the extract_x509_extension() function, which deals with SSL certificates.

The vulnerability could allow a remote authenticated attacker to craft and send a certificate that either crashes the OpenVPN service or triggers a double free that potentially leads to remote code execution on the server.

Vranken was not able to demonstrate the RCE bug but argued that remote code execution could be achieved in theory. In a report published Wednesday, he explained how one could achieve a remote memory leak because of the service's failure to check a particular return value.

"If you look in the OpenSSL source code, one way through which ASN1_STRING_to_UTF8 can fail is if it cannot allocate sufficient memory," Vranken said in his report. "So the fact that an attacker can trigger a double-free IF the server has insufficient memory, combined with the fact that the attacker can arbitrarily drain the server of memory, makes it plausible that a remote double-free can be achieved."

"But if a double-free is inadequate to achieve remote code execution, there are probably other functions, whose behavior is wildly different under memory duress, that you can exploit."
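The bug class Vranken describes, a conversion whose return value is never checked so that a pointer freed in the previous loop iteration is freed again once memory runs out, is easiest to see in a small stand-alone model. The C below is an added illustration, not OpenVPN's or OpenSSL's code: to_utf8() is a hypothetical stand-in for ASN1_STRING_to_UTF8(), the pool allocator is constructed so that it counts double frees instead of corrupting the heap and can be given a budget to simulate the memory exhaustion the report relies on, and the field values and the "wanted" match string are made up. The vulnerable scanner sits beside its hardened form.

```c
#include <stdio.h>
#include <string.h>

/* Instrumented pool allocator (constructed for this example): records a double
 * free instead of corrupting the heap, and has a budget so allocation failure
 * can be forced, mimicking the memory exhaustion described in the report. */
#define POOL_SLOTS 8
#define SLOT_BYTES 64
static char pool[POOL_SLOTS][SLOT_BYTES];
static int slot_in_use[POOL_SLOTS];
static int alloc_budget = POOL_SLOTS;
static int double_frees = 0;

static char *pool_alloc(void) {
    if (alloc_budget <= 0) return NULL;            /* simulated out-of-memory */
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (!slot_in_use[i]) { slot_in_use[i] = 1; alloc_budget--; return pool[i]; }
    }
    return NULL;
}

static void pool_free(char *p) {
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (pool[i] == p) {
            if (!slot_in_use[i]) double_frees++;   /* same block freed twice */
            slot_in_use[i] = 0;
            return;
        }
    }
}

static void pool_reset(int budget) {
    memset(slot_in_use, 0, sizeof slot_in_use);
    alloc_budget = budget;
    double_frees = 0;
}

/* Hypothetical stand-in for ASN1_STRING_to_UTF8(): on success it stores a new
 * buffer in *out and returns its length; on allocation failure it returns -1
 * and leaves *out exactly as it was. */
static int to_utf8(char **out, const char *s) {
    char *buf = pool_alloc();
    if (buf == NULL) return -1;
    size_t n = strlen(s);
    if (n >= SLOT_BYTES) n = SLOT_BYTES - 1;
    memcpy(buf, s, n);
    buf[n] = '\0';
    *out = buf;
    return (int)n;
}

/* Vulnerable pattern: `buf` lives across loop iterations and the conversion
 * result is ignored. Once an allocation fails, `buf` still points at the block
 * freed in the previous iteration and is freed again at the bottom of the loop. */
static int scan_fields_vulnerable(const char **fields, int count) {
    char *buf = NULL;
    int matched = 0;
    for (int i = 0; i < count; i++) {
        to_utf8(&buf, fields[i]);                   /* BUG: return value unchecked */
        if (buf != NULL && strcmp(buf, "wanted") == 0) matched++;  /* stale read after a failure */
        pool_free(buf);                             /* double free after a failure */
    }
    return matched;
}

/* Hardened pattern: check the result, scope the pointer to one iteration, and
 * clear it after freeing so no dangling pointer survives to the next iteration. */
static int scan_fields_fixed(const char **fields, int count) {
    int matched = 0;
    for (int i = 0; i < count; i++) {
        char *buf = NULL;
        if (to_utf8(&buf, fields[i]) < 0) continue; /* conversion failed: nothing to free */
        if (strcmp(buf, "wanted") == 0) matched++;
        pool_free(buf);
        buf = NULL;
    }
    return matched;
}

/* Constructed certificate-like fields; "wanted" is the value the scan looks for. */
#define SAMPLE_COUNT 3
static const char *SAMPLE_FIELDS[SAMPLE_COUNT] = { "first", "wanted", "third" };

/* Run one scanner under a given allocation budget; returns the double frees seen. */
static int count_double_frees(int (*scan)(const char **, int), int budget) {
    pool_reset(budget);
    scan(SAMPLE_FIELDS, SAMPLE_COUNT);
    return double_frees;
}

int main(void) {
    printf("vulnerable, plenty of memory: %d double frees\n",
           count_double_frees(scan_fields_vulnerable, POOL_SLOTS));
    printf("vulnerable, memory exhausted:  %d double frees\n",
           count_double_frees(scan_fields_vulnerable, 1));
    printf("fixed, memory exhausted:       %d double frees\n",
           count_double_frees(scan_fields_fixed, 1));
    return 0;
}
```

With a budget of one allocation, the vulnerable loop converts the first field, frees it, and then frees that same block once more for every field whose conversion fails; with enough memory it behaves correctly, which is why a fuzzer that never starves the allocator would not see the bug. The hardened version makes the failure path explicit and never carries a freed pointer into the next iteration.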

The second vulnerability, CVE-2017-7520, resides in the way OpenVPN connects to a Windows NTLM version 2 proxy.

A man-in-the-middle attacker between the OpenVPN client and the proxy server can either remotely crash the client or steal the user's password to the proxy from a memory leak.

The vulnerability can be triggered only under certain circumstances, such as when the client connects to a proxy using NTLM version 2 authentication, or when the client specifies a username ending with a backslash.

"If clients use a HTTP proxy with NTLM authentication (--http-proxy [|'auto'|'auto-nct'] ntlm2), a man-in-the-middle [MITM] attacker between the client and the proxy can cause the client to crash or disclose at most 96 bytes of stack memory," the OpenVPN team explains.

"The disclosed stack memory is likely to contain the proxy password. If the proxy password is not reused, this is unlikely to compromise the security of the OpenVPN tunnel itself. Clients who do not use the --http-proxy option with ntlm2 authentication are not affected."

The other two vulnerabilities (CVE-2017-7508 and CVE-2017-7522) are remote server crashes that can be triggered by sending maliciously crafted IPv6 packets or malicious data after authentication.

Patches for Servers and Clients Already Available

Vranken responsibly disclosed all the vulnerabilities he discovered to the OpenVPN team in May and June and the team has already patched the issues in its latest version of the VPN software.

While there is no proof that any of the vulnerabilities has been publicly exploited, users are strongly advised to update their installations to OpenVPN version 2.4.3 or 2.3.17 as soon as possible to be on the safer side.

For more in-depth technical details of all the vulnerabilities, you can head over to the report titled "The OpenVPN Post-Audit Bug Bonanza," published by Vranken on Wednesday.

Microsoft today made its PowerShell scripting language and command-line shell available to the open source developer community on GitHub under the permissive MIT license.

The company has also launched alpha versions of PowerShell for Linux (specifically Red Hat, Ubuntu, and CentOS) and Mac OS X, in addition, of course, to Windows.

Now, people can download binaries of the software, as well as access source code of the app from the new PowerShell GitHub page.

"Users across Windows and Linux, current and new PowerShell users, even application developers can experience a rich interactive scripting language as well as a heterogeneous automation and configuration management that works well with your existing tools," Microsoft says in its blog post.

"Your PowerShell skills are now even more marketable, and your Windows and Linux teams, who may have had to work separately, can now work together more easily."

PowerShell is Microsoft’s command line shell for Windows power users, and an extensible scripting language for automating system tasks.

Microsoft is aware that the company now operates in a "multi-platform, multi-cloud, multi-OS world." Since PowerShell is built on Microsoft's .NET platform, the company used .NET Core, the cross-platform version of .NET, to bring PowerShell to other platforms.

Microsoft has already planned to ship PowerShell "Core" with Nano Server for Windows Server 2016, and the newly announced release will run on .NET Core on Mac as well as Linux.

Although this recent release of PowerShell is an alpha and community supported, Microsoft notes that an official Microsoft version of PowerShell based on the open source code will be published in the future for anyone running a supported version of Windows.

Hacking into computers, networks and websites could easily land you in jail. But what if you could freely test and practice your hacking skills in a legally safe environment?

Facebook just open-sourced its Capture The Flag (CTF) platform to encourage students as well as developers to learn about cyber security and secure coding practices.

Capture the Flag hacking competitions are held at various cyber security events and conferences, including Def Con, to highlight real-world exploits and cyber attacks.

The CTF program is an effective way of identifying young people with exceptional computer skills, as well as teaching beginners about common and advanced exploitation techniques to ensure they develop secure programs that cannot be easily compromised.


Since 2013, Facebook has itself hosted CTF competitions at events across the world, and now it is opening the platform to the masses by releasing its source code on GitHub.

"We built a free platform for everyone to use that takes care of the backend requirements of running a CTF, including the game map, team registration, and scoring," said Gulshan Singh, Software Engineer at Facebook Threat Infrastructure.

In general, a Capture The Flag competition hosts a series of security challenges, where participants have to hack into defined targets and then defend them from other skilled hackers.

"The current set of challenges include problems in reverse-engineering, forensics, web application security, cryptography, and binary exploitation. You can also build your own challenges to use with the Facebook platform for a customized competition," Mr. Singh said.

Many institutions and organizations have now realized that gamification of cyber security and hacking goes beyond the traditional ways of training your mental muscles and keeping sharp the skills that otherwise only come into play when doomsday scenarios happen.

Facebook has open-sourced Hack Codegen, its library for automatically generating Hack code, allowing outside developers to automate some of their routine work when developing large programs.

Hack is Facebook's own programming language, designed to build complex websites and other software quickly and with fewer flaws.

The Hack programming language was developed for the HipHop Virtual Machine (HHVM), an open-source virtual machine designed to execute programs written in Hack and PHP. The top 20 open source frameworks on GitHub run on HHVM.

Hack Codegen is Now Open Source

While announcing the open-sourcing of Hack Codegen, which automatically generates Hack code, Facebook software engineer Alejandro Marcu said in a blog post:

"Being able to generate code through automated code generation allows [developers] to increase the level of abstraction by making frameworks that are declarative and that are translated into high-quality Hack code."

"We've been using Hack Codegen at Facebook for a while. After seeing so much internal success, we open-sourced this library so that more people could take advantage of it."

However, the social media giant later discovered that the technique was not good enough to scale up and realized that it needed a good library to generate code. This resulted in the birth of Hack Codegen.

Code That Writes Code

Hack Codegen simplifies code generation by helping developers create a schema, which holds code intended for repeated use, and a way to generate all the related functionality required to support that code.

The library only needs the developer to provide the required details about the particular implementation; the rest of the task is done by the software, such as the generation of classes, variables, methods, functions, interfaces, files, and other standard blocks of code.

The Hack Codegen library includes:

Hack_builder, which deals with concatenation, new lines, indentation, braces, Hack keywords, and collections

Signed files to re-generate code automatically when a schema is changed


Many smartphone applications support installation or app data storage on an external SD card, which can help save space on the internal memory but also leaves that data vulnerable to hackers.

Typically, an app that has permission to read and write data on an SD card has permission to read all data on that card, including information written by other apps. This means that if you install a malicious application by mistake, it can easily steal any sensitive data from your phone's SD card.

To prevent the data from being misused by any other app, the best approach is to encrypt it, but that comes at a cost to the device's performance.

On its 10th birthday, as a treat for mobile developers, Facebook has unveiled the source code of its Android security tool called 'Conceal', a cryptographic API Java library that allows app developers to encrypt data on disk in the most resource-efficient way, with an easy-to-use programming interface.

Smaller than other cryptography standards and built for speed, Conceal might end up being the best solution. "We saw an opportunity to do things better and decided to encrypt the private data that we stored on the SD card so that it would not be accessible to other apps," a Facebook software engineer said in a blog post.

The tool is based on algorithms from OpenSSL, a common open source encryption system for the web:

"Conceal doesn't implement any crypto. Instead, it uses specific cryptographic algorithms from OpenSSL. OpenSSL's crypto library is about 1MB when built for armv7. By using only the parts of OpenSSL we needed, we were able to reduce the size of OpenSSL to 85KB. We believe providing a smaller library will reduce the friction of adopting state of the art encryption algorithms, make it easier to handle different Android platform versions, and enable us to quickly incorporate fixes for any security vulnerabilities in OpenSSL as well."

Conceal is smaller and faster than existing Java crypto libraries and uses AES-GCM, an authenticated encryption algorithm that helps detect any tampering with the data. "We instead use AES-GCM which is an authenticated encryption algorithm that not only encrypts the data, but also computes a MAC of the data at the same time," he said.

The library also provides resources for storing and managing keys to protect against known weaknesses in Android's random number generator. Conceal officially supports Android 2.3 (Gingerbread) and higher. It will run on 2.2 (Froyo) phones as well.

The company is already using the tool in the main Facebook app for Android. Developers can access the Conceal API on GitHub.